Bug 1666 - One-way external ADS trusts show up as DISCONNECTED
One-way external ADS trusts show up as DISCONNECTED
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.6
All All
: P3 major
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-08-25 10:25 UTC by Marc Kaplan
Modified: 2005-08-24 10:21 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marc Kaplan 2004-08-25 10:25:34 UTC
I have the following situation:

[Eng-ADS.Test1]---trusts--->[TS-ADS.Test2]
      ^
      |
      |
[Samba Server ] (Member of Eng-ADS.Test1)

This is an external trust, and both sides of the trust are established (incoming
and outgoing). However, it's a one way trust, in that Eng-ADS.Test1 trusts
TS-ADS.Test2, but TS-ADS.Test2 does not trust Eng-ADS.Test1. In this case,
winbindd shows the following when I run wbinfo --sequence:

sh-2.04# wbinfo --sequence
ENG-ADS : 145596
TS-ADS : DISCONNECTED

From the log.winbindd at debug level 10 perspective, I get the following:
krb5_get_credentials failed for ts-adsdc$@TS-ADS.TEST2 (Server not found in
Kerberos database)
failed kerberos session setup with NT_STATUS_OK

I think I talked to Andrew B. at one point about this, and he said that there
was no way this could work, but it's been a while. Windows in this case works
fine, ideally we should be able to work with a one way external trust too.

This same situation works fine if the one way trusted domain in question is an
NT4 domain.
Comment 1 Gerald (Jerry) Carter 2005-02-17 09:58:34 UTC
I've got reports that this is working much better in 3.0.11.  
Please retest and reopen iof the issue is still present.  Thanks.
Comment 2 Gerald (Jerry) Carter 2005-08-24 10:21:29 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.